Tag Archives: Networking

Installing Snorby

This guide will help you with installing Snorby on a freshly installed Ubuntu 12.04 LTS server. We’ll be using the latest version from the git repository.

Install required dependencies

Snorby depends on a number of libraries and tools, which have to be installed before Snorby itself.

# apt-get install apache2 git imagemagick wkhtmltopdf ruby1.9.3 libyaml-dev libxml2-dev libxslt1-dev  zlib1g-dev build-essential openssl libssl-dev libmysqlclient-dev libreadline6-dev
# gem install rails
# gem update

Install snorby

We’re going to fetch the latest version of Snorby from its Git repository.

git clone http://github.com/Snorby/snorby.git

Once Snorby is downloaded, install its Ruby gem dependencies with Bundler.

# cd snorby && bundle install

Create 2 config files

You have to create two files in the config/ directory. The first file is database.yml, with the following contents.

# Snorby Database Configuration
#
# Please set your database password/user below
# NOTE: Indentation is important.
#
snorby: &snorby
  adapter: mysql
  username: snorby
  password: "s3cr3t"
  host: 127.0.0.1 # or the IP of your database server

development:
  database: snorby
  <<: *snorby   # YAML merge key: pull in the settings from the snorby anchor above

# Snorby is started with "-e production" later in this guide, so that
# environment needs a database section too.
production:
  database: snorby
  <<: *snorby

The second file is snorby_config.yml

production:
  domain: 'snorby.yourdomain.com' # can be changed to your domain
  wkhtmltopdf: /usr/bin/wkhtmltopdf # correct for Ubuntu 12.04
  ssl: false
  mailer_sender: 'snorby@yourdomain.com'  # can be changed 
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - ""
  authentication_mode: database

Create database account

Before proceeding you have to create a database user that can connect from the Snorby machine to your MySQL server, create a new database, and give that user full rights on the new database. Both the user and the database should be called “snorby”, and the password should be the same as the one used in “database.yml”.
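The account can be created with the following script, an added example that is not part of the original post. It wraps the MySQL statements so that the grant covers only the snorby database and the account may log in only from the sensor's address (the 127.0.0.1 of database.yml; set DB_CLIENT_HOST when the database runs on another machine). The DB_* and MYSQL_CMD variables and the function names are this example's own; it assumes the mysql client and an administrative MySQL account.

```sh
#!/bin/sh
# Added example, not code from the original post: create the MySQL account
# and database Snorby uses, granting rights on that one database only and
# restricting where the account may log in from. DB_* defaults mirror the
# tutorial's database.yml; MYSQL_CMD and the function names are this
# example's own (hypothetical) choices.

DB_NAME=${DB_NAME:-snorby}
DB_USER=${DB_USER:-snorby}
DB_PASS=${DB_PASS:-s3cr3t}              # must equal password: in database.yml
# Address the Snorby/Barnyard2 machine connects FROM. Keep it narrow;
# '%' would let the account log in from any host.
DB_CLIENT_HOST=${DB_CLIENT_HOST:-127.0.0.1}
# Admin client used to execute the statements (prompts for the root password).
MYSQL_CMD=${MYSQL_CMD:-mysql -u root -p}

# Names end up inside backticks/quotes in the SQL, so accept only a
# conservative character set for them instead of trying to escape them.
is_safe_identifier() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

is_safe_host() {
    case "$1" in
        ''|*[!A-Za-z0-9_.%-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the SQL statements. The password is the only free-form value and
# is passed as a string literal with backslashes and single quotes escaped.
snorby_grant_sql() {
    is_safe_identifier "$DB_NAME" || { echo "refusing database name: $DB_NAME" >&2; return 1; }
    is_safe_identifier "$DB_USER" || { echo "refusing user name: $DB_USER" >&2; return 1; }
    is_safe_host "$DB_CLIENT_HOST" || { echo "refusing client host: $DB_CLIENT_HOST" >&2; return 1; }
    esc_pass=$(printf '%s' "$DB_PASS" | sed "s/\\\\/\\\\\\\\/g; s/'/\\\\'/g")
    printf "CREATE DATABASE IF NOT EXISTS \`%s\`;\n" "$DB_NAME"
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$DB_USER" "$DB_CLIENT_HOST" "$esc_pass"
    # rights on the snorby database only, never ON *.*
    printf "GRANT ALL PRIVILEGES ON \`%s\`.* TO '%s'@'%s';\n" "$DB_NAME" "$DB_USER" "$DB_CLIENT_HOST"
    printf "FLUSH PRIVILEGES;\n"
}

# Generate the statements and feed them to the admin client.
create_snorby_account() {
    sql=$(snorby_grant_sql) || return 1
    printf '%s\n' "$sql" | $MYSQL_CMD
}

case "${1:-}" in
    print) snorby_grant_sql ;;          # review the statements first
    run)   create_snorby_account ;;     # execute them against the server
esac
```

Run it as `sh create_snorby_db.sh print` to review the statements and `sh create_snorby_db.sh run` to apply them; the account then matches the user, password and host that database.yml and, later, barnyard2.conf refer to.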

Run the setup program for Snorby

This command finalizes the installation of Snorby on your system.

# bundle exec rake snorby:setup

Final step : run Snorby

This command will start Snorby without detaching from the console. It’s a good idea to use this the first time so you can check if any errors are reported.

bundle exec rails server -e production

If you didn’t get any errors, you should be able to access your Snorby installation at the following URL. This assumes you are running Snorby and your web browser on the same machine; adapt it to your needs if necessary.

http://localhost:3000

The default login is ‘snorby@snorby.org’ with password ‘snorby’; change that password right after your first login. You’ll notice that the database is still empty: you need a tool like Barnyard2 to send events from Snort to your Snorby database.

Configuring Barnyard2 event feed

This assumes you’ve installed Barnyard2 as described in this post. Add the following line to your /etc/snort/barnyard2.conf config file.

output database: log, mysql, user=snorby password=s3cr3t dbname=snorby host=localhost

Adapt the password and the host if necessary; they should match the user, password and host you used in the database.yml configuration file.
After restarting barnyard2, events will start to pop up in the GUI.
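Both files now carry the database password in clear text, and a typo in either one is a common reason for an empty Snorby dashboard. The script below, an added example that is not part of the original post, compares the user, password, database and host between database.yml and the Barnyard2 output line and flags either file if it is world-readable. Note that MySQL treats `localhost` (Unix socket) and `127.0.0.1` (TCP) as different hosts when matching an account, so the host check is strict. The default paths, the function names and the GNU/Linux `ls -l` mode column are this example's own assumptions; the sample pair written by `write_demo_files` is constructed from the tutorial's values.

```sh
#!/bin/sh
# Added example, not code from the original post: check that Barnyard2's
# "output database:" line and Snorby's database.yml agree on user,
# password, database and host, and that neither file (both hold the
# password in clear text) is readable by other users.
# Assumptions, this example's own: GNU/Linux "ls -l" mode column; the
# database.yml values are bare or double-quoted on their own line, as in
# the tutorial; the default paths below are placeholders.

SNORBY_DB_YML=${SNORBY_DB_YML:-./snorby/config/database.yml}   # placeholder path
BARNYARD2_CONF=${BARNYARD2_CONF:-/etc/snort/barnyard2.conf}

# "key: value" from a YAML file: first match wins; a trailing "# comment"
# and surrounding double quotes are stripped.
yml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 \
        | sed 's/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/'
}

# key=value from the "output database:" line of barnyard2.conf.
by2_value() {
    sed -n "s/^output database:.*[[:space:],]$2=\([^[:space:],]*\).*/\1/p" "$1" | head -n 1
}

# True when the "other" read bit is set (8th character of ls -l).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# Prints each finding; returns 0 only when everything is consistent.
check_event_feed() {
    yml=$1; conf=$2; rc=0
    for key in username password database host; do
        case $key in
            username) bkey=user ;;
            database) bkey=dbname ;;
            *)        bkey=$key ;;
        esac
        a=$(yml_value "$yml" "$key")
        b=$(by2_value "$conf" "$bkey")
        if [ "$a" != "$b" ]; then
            echo "MISMATCH $key: database.yml='$a' barnyard2.conf='$b'"
            rc=1
        fi
    done
    for f in "$yml" "$conf"; do
        if world_readable "$f"; then
            echo "WORLD-READABLE $f (contains the database password; chmod 640 or 600)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample pair (the tutorial's values, host aligned) for an
# offline dry run; written under directory $1 with restrictive modes.
write_demo_files() {
    mkdir -p "$1"
    cat > "$1/database.yml" <<'EOF'
snorby: &snorby
  adapter: mysql
  username: snorby
  password: "s3cr3t"
  host: localhost # or the IP of your database server

development:
  database: snorby
  <<: *snorby
EOF
    cat > "$1/barnyard2.conf" <<'EOF'
output database: log, mysql, user=snorby password=s3cr3t dbname=snorby host=localhost
EOF
    chmod 600 "$1/database.yml" "$1/barnyard2.conf"
}

case "${1:-}" in
    demo)  d=$(mktemp -d); write_demo_files "$d"
           check_event_feed "$d/database.yml" "$d/barnyard2.conf" && echo "consistent"
           rm -rf "$d" ;;
    check) check_event_feed "$SNORBY_DB_YML" "$BARNYARD2_CONF" ;;
esac
```

`sh check_event_feed.sh demo` runs against the constructed pair; `SNORBY_DB_YML=/path/to/snorby/config/database.yml sh check_event_feed.sh check` runs against the real files.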

[Image: Snorby screenshot]

Updating Snort Rules using Pulled Pork

In a previous post, I explained how to install Snort on Ubuntu 12.04. The next step is to keep your rules up to date, which is done with Pulled Pork. An IDS with an outdated rule set is about as effective as an antivirus product that hasn’t been updated for a couple of months: it only gives you a false sense of security. The steps below describe how to update Snort rules using Pulled Pork.

This tool is not available from the Ubuntu repositories, so we have to install it and its prerequisites ourselves.

Install prerequisites

Pulled Pork requires two Perl libraries. On Ubuntu, you can install them like this.

# apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl

Install Pulled Pork

I downloaded the most recent version. It’s important to take the latest version from trunk: version 0.6.1, which is offered for download, no longer works due to changes on the Emerging Threats website, and fails with an error because the certificate isn’t valid.

root@ids:~# cd /usr/local/bin
root@ids:/usr/local/bin# wget http://pulledpork.googlecode.com/svn/trunk/pulledpork.pl
--2013-03-07 19:14:12--  http://pulledpork.googlecode.com/svn/trunk/pulledpork.pl
Resolving pulledpork.googlecode.com (pulledpork.googlecode.com)... 173.194.67.82, 2a00:1450:400c:c05::52
Connecting to pulledpork.googlecode.com (pulledpork.googlecode.com)|173.194.67.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 35444 (35K) [application/x-gzip]
Saving to: `pulledpork.pl'

100%[=====================================================================================================================================================================>] 35,444      --.-K/s   in 0.1s    

2013-03-07 19:14:12 (276 KB/s) - `pulledpork.pl' saved [35444/35444]

root@ids:/usr/local/bin# chmod 755 pulledpork.pl

Next I created a new directory in /etc for the configuration files.

root@ids:/usr/local/bin# mkdir /etc/pulledpork
root@ids:/usr/local/bin# cd /etc/pulledpork
root@ids:/etc/pulledpork# wget http://www.rivy.org/custom/pulledpork.conf

After fetching the config file, you still have to go to snort.org, create an account to become a registered user and generate your own personal oinkcode. You have the choice between the most recent signatures and signatures that are one month old; the most recent ones require a small fee. When you have your oinkcode, place it in pulledpork.conf.

Configuration of Snort

Since we want to enable the dynamic rules, make sure the dynamicdetection directive (the second of the two lines below) is no longer commented out in /etc/snort/snort.conf.

# path to dynamic rules libraries
dynamicdetection directory /usr/lib/snort_dynamicrules

And we also want to create that directory.

# mkdir /usr/lib/snort_dynamicrules

Remove all include rules from the main config by executing this.

sed -i '/^include $RULE_PATH/d' /etc/snort/snort.conf

Then execute the following two commands to add the include lines back.

echo "include \$RULE_PATH/snort.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/local.rules" >> /etc/snort/snort.conf

Delete the current rules

rm /etc/snort/rules/*.rules

Add the following variable to /etc/snort/snort.conf (first part of the file)

# List of file data ports for file inspection
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
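The edits from enabling the dynamic rules through the FILE_DATA_PORTS variable can be applied in one idempotent pass, so that re-running it after a later package upgrade does not duplicate includes or the portvar. The script below is an added example and not the post's own code: it keeps a .bak copy of snort.conf, uncomments the dynamicdetection line, replaces all `include $RULE_PATH` lines with the two from this section and inserts the portvar after the last existing portvar. Deleting the old rule files is left to the post's rm command. The file paths are the post's; DYN_DIR, the function names and the constructed sample written by `write_sample_conf` are this example's own.

```sh
#!/bin/sh
# Added example, not the post's own code: apply this section's snort.conf
# edits (enable the dynamicdetection directory, replace all "include
# $RULE_PATH" lines with snort.rules and local.rules, add the
# FILE_DATA_PORTS variable) in one idempotent pass, keeping a backup.
# The paths are the post's; function names and DYN_DIR are this example's.

DYN_DIR=${DYN_DIR:-/usr/lib/snort_dynamicrules}
FILE_DATA_LINE='portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]'

# Rewrite the file named by $1 in place (a copy is left in $1.bak).
configure_snort_conf() {
    conf=$1
    tmp="$conf.tmp.$$"
    cp "$conf" "$conf.bak"
    awk -v extra="$FILE_DATA_LINE" '
        index($0, "include $RULE_PATH/") == 1 { next }           # drop old includes
        /^# *dynamicdetection directory /     { sub(/^# */, "") } # uncomment
        { lines[++n] = $0 }
        /^portvar FILE_DATA_PORTS/            { have_fdp = 1 }
        /^portvar /                           { last_portvar = n }
        END {
            # new portvar goes after the last existing one (or first, if none)
            if (!have_fdp && !last_portvar) print extra
            for (i = 1; i <= n; i++) {
                print lines[i]
                if (!have_fdp && i == last_portvar) print extra
            }
            print "include $RULE_PATH/snort.rules"
            print "include $RULE_PATH/local.rules"
        }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Constructed sample resembling the top of Ubuntu's snort.conf, for an
# offline dry run; written to the path given as $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Step 1: set network variables
ipvar HOME_NET any
portvar HTTP_PORTS [80,8080]
portvar SHELLCODE_PORTS !80
# path to dynamic rules libraries
# dynamicdetection directory /usr/lib/snort_dynamicrules
output unified2: filename merged.log, limit 128
include $RULE_PATH/local.rules
include $RULE_PATH/web-attacks.rules
EOF
}

case "${1:-}" in
    demo) f=$(mktemp); write_sample_conf "$f"; configure_snort_conf "$f"
          cat "$f"; rm -f "$f" "$f.bak" ;;
    run)  mkdir -p "$DYN_DIR"; configure_snort_conf "${2:-/etc/snort/snort.conf}" ;;
esac
```

`sh configure_snort_conf.sh demo` shows the result on the constructed sample; `sh configure_snort_conf.sh run` edits /etc/snort/snort.conf and creates the dynamic rules directory.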

Running of pulledpork

This command will run pulledpork and update your rules.

# pulledpork.pl -c /etc/pulledpork/pulledpork.conf
...
Rule Stats...
	New:-------185
	Deleted:---3
	Enabled Rules:----16662
	Dropped Rules:----0
	Disabled Rules:---15312
	Total Rules:------31974
No IP Blacklist Changes

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

After updating your rules, you always have to restart snort. Make sure that you didn’t get any errors during the restart. If you received errors, check the /var/log/syslog file and try to fix the issue.

# service snort restart
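A rule update that breaks the configuration takes the sensor down at the restart that follows it. The script below, an added example that is not part of the original post, runs Pulled Pork, then validates the result with Snort's configuration test (`snort -T -c /etc/snort/snort.conf`), and restarts the service only when that test passes, restoring the previous snort.rules otherwise. The paths are the post's; the *_CMD variables and function names are this example's own and exist so the flow can be exercised with stub commands.

```sh
#!/bin/sh
# Added example, not from the original post: run Pulled Pork, validate
# the result with Snort's configuration test (snort -T) and only then
# restart the service, rolling the rule file back when the test fails,
# so a bad update does not leave the sensor down.

PP_CMD=${PP_CMD:-pulledpork.pl}
PP_CONF=${PP_CONF:-/etc/pulledpork/pulledpork.conf}
SNORT_CMD=${SNORT_CMD:-snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
RESTART_CMD=${RESTART_CMD:-service snort restart}
RULES_FILE=${RULES_FILE:-/etc/snort/rules/snort.rules}

# Exit status: 0 updated and restarted; 1 pulledpork failed;
# 2 config test failed (previous rules restored, snort not restarted);
# 3 restart failed.
update_rules_and_restart() {
    # keep the current rule file so a bad update can be rolled back
    if [ -f "$RULES_FILE" ]; then
        cp "$RULES_FILE" "$RULES_FILE.prev"
    fi
    if ! $PP_CMD -c "$PP_CONF"; then
        echo "pulledpork failed; rules left unchanged"
        return 1
    fi
    # -T makes snort parse the configuration and rules, then exit
    if out=$($SNORT_CMD -T -c "$SNORT_CONF" 2>&1); then
        if ! $RESTART_CMD; then
            echo "snort restart failed; check /var/log/syslog"
            return 3
        fi
        echo "rules updated, configuration test passed, snort restarted"
        return 0
    fi
    echo "snort -T rejected the new configuration; restoring previous rules"
    printf '%s\n' "$out" | tail -n 20
    if [ -f "$RULES_FILE.prev" ]; then
        mv "$RULES_FILE.prev" "$RULES_FILE"
    fi
    return 2
}

case "${1:-}" in
    run) update_rules_and_restart ;;
esac
```

Run it as root with `sh update_rules.sh run`, or from cron for scheduled updates; a non-zero exit status is what to alert on.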

Installing Snort

This howto explains how to install Snort on Ubuntu 12.04. We start from an Ubuntu server with two interfaces: eth0 is the management interface and eth1 is the dedicated sniffing interface. The sensor is not inline; eth1 is connected to a mirror port on the switch. I’m using a software switch called Open vSwitch (more on that in this post). Of course you can also connect the interface to a physical port on a hardware switch; just make sure to configure that port in mirror or SPAN mode.

Prepare the OS

By default, the unused interface eth1 stays down. Adding the following to /etc/network/interfaces brings it up at boot time.

auto eth1
iface eth1 inet manual
        up ifconfig $IFACE up

After rebooting the machine, the interface should come up automatically. You can use tcpdump to verify that the interface is up: it should show a lot of traffic, which also means that the mirror port is working as expected.

# tcpdump -ni eth1

Install Snort

The following command will download and install snort on your machine.

apt-get install snort

Answer the questions that pop up during the installation process.

Adapt the default installation

After the installation, edit /etc/snort/snort.conf . Make sure to comment out all lines that start with ‘output’. Copy and paste the following output setting to your configuration file. If you forget this, you’ll have problems with Barnyard2.

output unified2: filename merged.log, limit 128

Also edit /etc/snort/snort.debian.conf and set the interface to eth1 instead of the default eth0.

DEBIAN_SNORT_INTERFACE="eth1"

Reboot

Now it’s best to reboot the machine to make sure that it boots fine and automatically starts Snort to do intrusion detection on the network.

# reboot

After logging in, have a look at the merged.log files in /var/log/snort/ (the unified2 output appends a timestamp to the filename). If all is well, suspicious traffic is being logged there.

Install up-to-date rules

We’ve done everything to install snort on our machine. In the next post, I’ll explain how to install some up-to-date rules. This is necessary to make sure Snort is able to detect the latest threats.
This page is part of a series about a complete installation and configuration of Snort.

Snort is a registered trademark of Sourcefire, Inc.